# Asymmetric keys in Amazon KMS An *asymmetric KMS key* represents a mathematically related public key and private key pair. You can give the public key to anyone, even if they're not trusted, but the private key must be kept secret. In an asymmetric KMS key, the private key is created in Amazon KMS and never leaves Amazon KMS unencrypted. To use the private key, you must call Amazon KMS. You can use the public key within Amazon KMS by calling the Amazon KMS API operations. Or, you can [download the public key](download-public-key.md) and use it outside of Amazon KMS. If your use case requires encryption outside of Amazon by users who cannot call Amazon KMS, asymmetric KMS keys are a good choice. However, if you are creating a KMS key to encrypt the data that you store or manage in an Amazon service, use a symmetric encryption KMS key. [Amazon services that are integrated with Amazon KMS](http://www.amazonaws.cn/kms/features/#AWS_Service_Integration) use only symmetric encryption KMS keys to encrypt your data. These services do not support encryption with asymmetric KMS keys. When signing messages larger than 4 KB with Amazon KMS, you must hash the message outside of Amazon KMS before signing. Amazon KMS provides three `MessageType` options for handling message input: `RAW` for plaintext messages (where Amazon KMS performs the hashing), `DIGEST` for pre-hashed messages (where Amazon KMS skips the hashing step), and `EXTERNAL_MU` specifically for ML-DSA KMS key specs where the input is a 64-byte representative μ value. For large messages exceeding the 4 KB limit, hash the message externally and use [https://docs.amazonaws.cn/kms/latest/APIReference/API_Sign.html#KMS-Sign-request-MessageType](https://docs.amazonaws.cn/kms/latest/APIReference/API_Sign.html#KMS-Sign-request-MessageType) (or [https://docs.amazonaws.cn/kms/latest/APIReference/API_Sign.html#KMS-Sign-request-MessageType](https://docs.amazonaws.cn/kms/latest/APIReference/API_Sign.html#KMS-Sign-request-MessageType) for ML-DSA KMS keys) when calling Amazon KMS [Sign](https://docs.amazonaws.cn/kms/latest/APIReference/API_Sign.html) and Amazon KMS [Verify](https://docs.amazonaws.cn/kms/latest/APIReference/API_Verify.html) operations. Amazon KMS supports several types of asymmetric KMS keys. **RSA KMS keys** A KMS key with an RSA key pair for encryption and decryption or signing and verification (but not both). Amazon KMS supports several key lengths for different security requirements. For technical details about the encryption and signing algorithms that Amazon KMS supports for RSA KMS keys, see [RSA key specs](symm-asymm-choose-key-spec.md#key-spec-rsa). **Elliptic Curve (ECC) KMS keys** A KMS key with an elliptic curve key pair for signing and verification or deriving shared secrets (but not both). Amazon KMS supports several commonly-used curves. For technical details about the signing algorithms that Amazon KMS supports for ECC KMS keys, see [Elliptic curve key specs](symm-asymm-choose-key-spec.md#key-spec-ecc). **ML-DSA KMS keys** A KMS key with an ML-DSA key pair for signing and verification. ML-DSA is a post-quantum cryptography standard developed by the US National Institute of Standards and Technology (NIST) to protect against the security threats posed by quantum computing. ML-DSA is the recommended digital signature algorithm for organizations transitioning from RSA or Elliptic Curve digital signature algorithms to post-quantum safe cryptography. Amazon KMS supports several key lengths for different security requirements. For technical details about the signing algorithms that Amazon KMS supports for ML-DSA KMS keys, see [ML-DSA key spec](symm-asymm-choose-key-spec.md#key-spec-mldsa). **SM2 KMS keys (China Regions only)** A KMS key with an SM2 key pair for encryption and decryption, signing and verification, or deriving shared secrets (you must choose one [Key usage](create-keys.md#key-usage) type). For technical details about the encryption and signing algorithms that Amazon KMS supports for SM2 KMS keys (China Regions only), see [SM2 key spec](symm-asymm-choose-key-spec.md#key-spec-sm). For help choosing your asymmetric key configuration, see [Choosing what type of KMS key to create](create-keys.md#symm-asymm-choose). **Regions** Asymmetric KMS keys and asymmetric data key pairs are supported in all Amazon Web Services Regions that Amazon KMS supports. **Learn more** + To create asymmetric KMS keys, see [Create an asymmetric KMS key](asymm-create-key.md). + To create multi-Region asymmetric KMS keys, see [Create multi-Region primary keys](create-primary-keys.md). + To learn how to sign messages and verify signatures with asymmetric KMS keys, see [Digital signing with the new asymmetric keys feature of Amazon KMS](https://amazonaws-china.com/blogs/security/digital-signing-asymmetric-keys-aws-kms/) in the *Amazon Security Blog*. + To learn about special considerations for deleting asymmetric KMS keys, see [Deleting asymmetric KMS keys](deleting-keys.md#deleting-asymmetric-cmks). + To identify and view asymmetric KMS keys, see [Identify asymmetric KMS keys](identify-key-types.md#identify-asymm-keys).